IMPROVED DATA SECURITY IN AN AUTOMATED DATA STORAGE LIBRARY 
FIELD OF THE INVENTION 

[1] The present invention relates generally to automated data storage libraries, and 
in particular, to providing a higher level of security for data stored on data storage 
media. 

BACKGROUND OF THE INVENTION 

[2] Automated data storage libraries provide a means for storing large quantities of 
data on data storage media that are not permanently mounted in data storage 
drives, but are stored in a readily available form on storage shelves. One or more 
robot accessors retrieve selected data storage media from storage shelves and 
provide them to data storage drives. Typically, data stored on data storage media of 
an automated data storage library, once requested, is needed quickly. Thus, it is 
desirable that an automated data storage library be maintained in an operational 
condition as much as possible, such as the well known "24x7" availability. 

[3] The data storage media often contains company sensitive information such as 
salaries, trade secrets, financial information, etc. Some customers desire more data 
storage media protection or security than just locking it away in an automated data 
storage library. For example, a customer may want protection against a data storage 
cartridge being removed from one library and placed into another library or drive 
where the data on the storage media can be read and/or overwritten. The issue may be greater 
with partitioned libraries where there is a chance that the data storage media may be 
accidentally, or intentionally, moved from one logical library into another logical 
library. 

[4] U.S. Patent Application Number 09/977,159, filed October 11, 2001, 
(incorporated herein by reference) addresses some of these problems by encrypting 
all or most of the data on the storage media but this requires special drive hardware. 
In addition, since the data is encrypted on the data storage media, it becomes very 
difficult to move the data storage media to a drive or system that does not support 
the encryption scheme. To do this would require that the entire contents of the data 
storage media be read, decrypted, and then written again. Still further, 09/977,159 
does not address encryption key management between multiple drives and/or 
multiple data storage cartridges. U.S. Patent 6,104,561 describes a method that 
writes a code in the data of a data storage medium to prevent unauthorized reading 
and/or writing of the data storage media but this requires writing of the data storage 
medium in order to change the security features. 
[5] Therefore, a need remains for improved data storage media security in an 
automated data storage library without the limitations of previous efforts. 

SUMMARY OF THE INVENTION 

[6] In a first embodiment, the automated data storage library modifies the contents of 
the cartridge memory or the contents of the media of one or more data storage 
cartridges so that the data is normally inaccessible to a data storage drive. When 
the data storage media is needed by the library, a correction or correction algorithm 
is sent to the drive to allow it to access the data storage media for read and/or write 
operations. Alternatively, the contents of the cartridge memory or the contents of the 
media are modified to make the data accessible. If an attempt to access data 
storage media is made, by removing a cartridge from a library and inserting it into a 
drive for example, the drive will not be able to read from and/or write to the data 
storage media. 

[7] In a second embodiment, the library is partitioned into two or more logical 
libraries. The library writes an identifier into the cartridge memory of one or more 
data storage cartridges. The identifier is associated with one or more logical 
libraries. The library communicates the identifier to one or more drives and the one 
or more drives use the identifier to prevent or allow read and/or write access to the 
data storage medium. If a data storage cartridge is moved into the drive of a 
different logical library then the drive will prevent read and/or write access to the 
data storage medium. 

[8] In a third embodiment, the library writes an identifier into the cartridge memory of 
one or more data storage cartridges. The identifier is associated with one or more 
physical libraries. The library communicates the identifier to one or more drives and 
the one or more drives use the identifier to prevent or allow read and/or write access 
to the data storage medium. If a data storage cartridge is moved into the drive of a 
different physical library then the drive will prevent read and/or write access to the 
data storage medium. 

[9] In a fourth embodiment, the second and third embodiments are combined to 
provide maximum security and protection for a partitioned library. Accidental or 
intentional data storage media access is prevented from different logical libraries 
within the same physical library or within another physical library. 

[10] For the second, third, and fourth embodiments, library association information is 
written to each cartridge memory as described in Fig. 8. Library association 
information is also written to each drive as described in the flowchart of Fig. 9. The 
drive compares the association information in the cartridge memory to the 
association information in the drive and determines if the media is accessible, as 
described in the flowchart of Fig. 10. 
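As an added illustration of the comparison described in paragraph [10] (this is example code, not part of the application or of any library or drive firmware), the following Python models a library writing an association record into cartridge memory and a drive comparing that record against the association it was given at configuration time. The record layout, the field names, the HMAC used to make the record tamper-evident, and the allow_unassociated switch are assumptions; the application says only that the cartridge memory modifications and the communication to the drive "may be encrypted or may require encryption/decryption keys".

```python
"""Logical/physical library association check (second to fourth embodiments).

Added example, not code from the patent application. The cartridge memory (CM)
record layout, the use of HMAC-SHA256 as a tamper-evident tag, and the
allow_unassociated policy are illustrative assumptions.
"""
import hashlib
import hmac
import struct
from typing import Tuple

# Assumed record layout: 16-byte physical library id, 2-byte logical library
# number, then a 32-byte HMAC-SHA256 over those two fields.
_FMT = ">16sH"
_BODY_LEN = struct.calcsize(_FMT)
_TAG_LEN = 32


def write_association(physical_id: bytes, logical_id: int, key: bytes) -> bytes:
    """Build the record the library writes into cartridge memory.

    The tag is keyed with a library-held key (assumed) so that a drive can
    detect a record rewritten with an ordinary CM writer.
    """
    if len(physical_id) != 16:
        raise ValueError("physical library id must be 16 bytes")
    body = struct.pack(_FMT, physical_id, logical_id)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Drive:
    """A drive that has been told its own association and key by the library."""

    def __init__(self, physical_id: bytes, logical_id: int, key: bytes,
                 allow_unassociated: bool = False) -> None:
        self.physical_id = physical_id
        self.logical_id = logical_id
        self.key = key
        # Assumed policy: whether media with no association record (e.g. a
        # cartridge exported from another library) may be accessed.
        self.allow_unassociated = allow_unassociated

    def check_access(self, cm_record: bytes) -> Tuple[bool, str]:
        """Compare the CM association with the drive's own and decide access."""
        if len(cm_record) == 0:
            if self.allow_unassociated:
                return True, "unassociated media accepted by policy"
            return False, "no association record: media not accessible"
        if len(cm_record) != _BODY_LEN + _TAG_LEN:
            return False, "malformed association record"
        body, tag = cm_record[:_BODY_LEN], cm_record[_BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a drive without the right key fails here
        # before any identifier is even looked at.
        if not hmac.compare_digest(tag, expected):
            return False, "association record failed integrity check"
        phys, logical = struct.unpack(_FMT, body)
        if phys != self.physical_id:
            return False, "cartridge belongs to another physical library"
        if logical != self.logical_id:
            return False, "cartridge belongs to another logical library"
        return True, "access permitted"


if __name__ == "__main__":
    # Constructed sample: library A, logical library 1, a 32-byte key.
    key = bytes(range(32))
    lib_a = b"A" * 16
    record = write_association(lib_a, 1, key)
    print(Drive(lib_a, 1, key).check_access(record))
    print(Drive(lib_a, 2, key).check_access(record))
    print(Drive(b"B" * 16, 1, key).check_access(record))
```

The tamper-evident tag matters because a cartridge memory interface on any accessor or drive can rewrite the identifier; without it, moving a cartridge between logical libraries would need only a rewrite of two bytes. A drive that does not hold the key fails the integrity check before the identifier comparison is reached, which is the behaviour wanted for a cartridge carried to a different physical library. Clearing the record on export, as paragraph [12] describes, leaves the cartridge readable only by drives configured to accept unassociated media.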

[11] In a fifth embodiment, this invention may be combined with U.S. Patent 
Application Number 09/977,159, filed October 11, 2001 (incorporated herein by 
reference) to provide an automated method of securing the data on data storage 
media in a removable media system. In this case, the keys for gaining access to the 
data on the data storage medium may be managed in part, or in full, by the 
automated data storage library. The library may provide the keys to the data storage 
drive during a move operation, after a library configuration, after a drive or library 
power-on, or at some other time. 

[12] In all embodiments, the cartridge memory may be modified directly by a 
component of the library, such as a cartridge memory reader/writer or interface 
located on or about the library accessor. Alternatively, the cartridge memory may be 
modified indirectly by using one or more data storage drives. The modifications to 
the cartridge memory may be encrypted or may require encryption/decryption keys 
to access. The library may provide a data storage media export operation that 
removes the cartridge memory access limitations. This may be especially desirable 
where data protection is more important than data security. In this way, the data 
storage media may be accessible by drives and libraries which would not normally 
allow access with the full protection and security mechanisms of this invention. 

[13] The physical and logical library association information of the second, third and 
fourth embodiments may be better understood by referring to U.S. Patent 
Application Number 10/356,577, filed February 3, 2003 and U.S. Patent Application 
Number 10/356,487, filed February 3, 2003 (both of which are incorporated herein 
by reference). The communication to the drive may be encrypted or may require 
encryption/decryption keys. 

[14] Certain aspects of this invention are not intended to provide maximum data 
security which would require encryption of the actual data on the storage medium. 
Under such a system, either special drive hardware would be required or 
performance and data storage media capacity would be impacted. If decryption 
keys are lost or destroyed then the data would be totally inaccessible. In addition, 
moving the data storage media from one library to another would require movement 
of the decryption keys, making it easier for the keys to be misappropriated. 

[15] This invention improves upon existing automated data storage libraries by 
offering a higher level of security and protection whereby data storage media may 
not be read from and/or written to, accidentally or intentionally, without overriding a 
protection mechanism. 

[16] This invention may be combined with other, higher security, solutions to provide 
an overall system solution. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[17] Fig. 1 is a block diagram of an automated data storage library controller and/or a 
drive controller in which the present invention may be incorporated; 

[18] Fig. 2 illustrates a multi-frame automated data storage library in which the 
present invention may be incorporated; 

[19] Fig. 3 illustrates the interior of one frame of the automated data storage library of 
Fig. 2; 

[20] Fig. 4 is a block diagram of a three-frame automated data storage library, 
employing a distributed system of modules with a plurality of processor nodes; 
[21] Figs. 5A and 5B illustrate front and rear views, respectively, of a removable 
media tape drive; 

[22] Figs. 6A and 6B illustrate a data storage cartridge with a cartridge memory for 
use with the present invention; 

[23] Fig. 7 is a flow chart of one method of the present invention; 

[24] Fig. 8 is a flow chart of another method of the present invention; 

[25] Fig. 9 is a flow chart of another method of the present invention; 

[26] Fig. 10 is a flow chart of a configuration operation of methods of the present 
invention; 

[27] Fig. 11 is a flow chart of the process of checking a cartridge memory in 
conjunction with a move operation; and 

[28] Fig. 12 is a flow chart of the process of managing encryption and/or decryption 
keys in conjunction with a move operation. 

DETAILED DESCRIPTION OF THE INVENTION 

[29] An automated data storage library typically contains one or more controllers to 
direct the operation of the automated data storage library. In addition, each data 
storage drive within the library typically comprises one or more controllers to direct 
the operation of the data storage drive. The controller(s) may take many different 
forms and may comprise an embedded system, a distributed control system, a 
personal computer, workstation, etc. Fig. 1 shows a typical controller 100 with a 
processor 102, RAM (Random Access Memory) 103, nonvolatile memory 104, 
device specific circuits 101, and I/O interface 105. Alternatively, the RAM 103 
and/or nonvolatile memory 104 may be contained in the processor 102 as could the 
device specific circuits 101 and I/O interface 105. The processor 102 may comprise 
an off the shelf microprocessor, custom processor, FPGA (Field Programmable Gate 
Array), ASIC (Application Specific Integrated Circuit), discrete logic, etc. The RAM 
(Random Access Memory) 103 is typically used to hold variable data, stack data, 
executable instructions, etc. The nonvolatile memory 104 may comprise any type of 
nonvolatile memory such as EEPROM (Electrically Erasable Programmable Read 
Only Memory), flash PROM (Programmable Read Only Memory), battery backup 
RAM, hard disk drive, etc. The nonvolatile memory 104 is typically used to hold the 
executable firmware and any nonvolatile data. The I/O interface 105 is a 
communication interface that allows the processor 102 to communicate with devices 
external to the controller. Examples may comprise serial interfaces such as RS-232 
or USB (Universal Serial Bus), SCSI (Small Computer Systems Interface), Fibre 
Channel, etc. The device specific circuits 101 provide additional hardware to enable 
the controller 100 to perform unique functions such as motor control of a cartridge 
gripper, etc. The device specific circuits 101 may comprise electronics that provide 
Pulse Width Modulation (PWM) control, Analog to Digital Conversion (ADC), Digital 
to Analog Conversion (DAC), etc. In addition, some or all of the device specific 
circuits 101 may reside outside the controller 100. 
[30] Fig. 2 illustrates an automated data storage library 10 with a left hand service bay 
13, one or more storage frames 11, and a right hand service bay 14. As will be 
discussed, a frame may comprise an expansion component of the library 10. 
Frames may be added or removed to expand or reduce the size and/or functionality 
of the library 10. Frames may comprise additional storage shelves, drives, 
import/export stations, accessors, operator panels, etc. Fig. 3 shows an example of 
a storage frame 11, which also is the minimum configuration of the library 10. In this 
minimum configuration, there are no redundant accessors or service bays. The 
storage frame 11 is arranged for accessing data storage media (not shown) in 
response to commands from at least one external host system (not shown), and 
comprises a plurality of storage shelves 16, on a front wall 17 and a rear wall 19, for 
storing data storage cartridges which contain data storage media; at least one data 
storage drive 15 for reading and/or writing data from/to the data storage media; and 
a first accessor 18 for transporting the data storage media between the plurality of 
storage shelves 16 and the data storage drive(s) 15. The storage frame 11 may 
optionally comprise an operator panel 23 or other user interface, such as a web- 
based interface, which allows a user to interact with the library 10. The storage 
frame 11 may optionally comprise an import/export station 24, which allows data 
storage cartridges to be inserted into and/or removed from the library 10 without 
disrupting library operation. The library 10 may comprise one or more storage 
frames 11, each having storage shelves 16 accessible by first accessor 18. As 
described above, the storage frames 11, may be configured with different 
components depending upon the intended function. One configuration of the 
storage frame 11 may comprise storage shelves 16, data storage drive(s) 15, and 
other optional components to store and retrieve data from the data storage 
cartridges. The first accessor 18 comprises a gripper assembly 20 for gripping one 
or more data storage cartridges and may include a bar code scanner 22 or other 
reading system, such as a smart card reader or the like, mounted on the gripper 20 
to "read" identifying information about the data storage media. 
[31] Fig. 4 illustrates an embodiment of an automated data storage library 10 of Figs. 
2 and 3, which employs a distributed system of modules with a plurality of processor 
nodes. An example of an automated data storage library which may implement the 
present invention is the IBM 3584 UltraScalable Tape Library. The library 10 of Fig. 
4 comprises one or more storage frames 11, a left hand service bay 13 and a right 
hand service bay 14. 

[32] The left hand service bay 13 is shown with a first accessor 18. As discussed 
above, the first accessor 18 comprises a gripper assembly 20 and may include a 
reading system 22 to "read" identifying information about the data storage media. 
The right hand service bay 14 is shown with a second accessor 28. The second 
accessor 28 comprises a gripper assembly 30 and may include a reading system 32 
to "read" identifying information about the data storage media. In the event of a 
failure or other unavailability of the first accessor 18, or its gripper 20, etc., the 
second accessor 28 may perform all of the functions of the first accessor 18. The 
two accessors 18, 28 may share one or more mechanical paths or they may 
comprise completely independent mechanical paths. In one example, the accessors 
18, 28 may have a common horizontal rail with independent vertical rails. The first 
accessor 18 and the second accessor 28 are described as first and second for 
descriptive purposes only and this description is not meant to limit either accessor to 
an association with either the left hand service bay 13, or the right hand service bay 
14. Nor is the description herein intended to limit the number of accessors to two or 
to any other specific number. 
[33] In the library 10, first accessor 18 and second accessor 28 move their grippers 
in at least two directions, called the horizontal "X" direction and vertical "Y" direction, 
to retrieve and grip, or to deliver and release the data storage media at the storage 
shelves 16 and the data storage drives 15. 

[34] The library 10 receives commands from one or more host systems 40, 41 or 42. 
The host systems, such as host servers, communicate with the library 10 directly, 
e.g., on path 80, through one or more control ports (not shown), or through one or 
more data storage drives 15 through lines 70, providing commands to access 
particular data storage media and move the media, for example, between the 
storage shelves 16 and the data storage drives 15. The commands are typically 
logical commands identifying the media and/or logical locations for accessing the 
media. 

[35] The library 10 is controlled by a distributed control system receiving the logical 
commands from hosts, determining the required actions, and converting the actions 
to physical movements of first accessor 18 and/or second accessor 28. The 
distributed control system may comprise a plurality of processor nodes, each having 
one or more processors. In one example of a distributed control system, a 
communication processor node 50 may be located in a storage frame 11. The 
communication processor node provides a communication link for receiving the host 
commands, either directly or through the drives 15, via at least one external 
interface, e.g., coupled to line 80. 

[36] The communication processor node 50 may additionally provide a 
communication link 70 for communicating with the data storage drives 15. The 
communication processor node 50 may be located in the frame 11, close to the data 
storage drives 15. Additionally, in an example of a distributed processor system, 
one or more additional work processor nodes are provided, which may comprise, for 
example, a work processor node 52 that may be located at first accessor 18, and 
which is coupled to the communication processor node 50 via a network 60, 157. 
Each work processor node may respond to received commands that are broadcast 
to the work processor nodes from any communication processor node, and the work 
processor node may also direct the operation of first accessor 18, providing move 
commands. An XY processor node 55 may be provided and may be located at an 
XY system of first accessor 18. The XY processor node 55 is coupled to the 
network 60, 157, and is responsive to the move commands, operating the XY 
system to position the gripper 20. 

[37] Also, an operator panel processor node 59 may be provided at the optional 
operator panel 23 for providing an interface for communicating between the operator 
panel and the communication processor node 50, the work processor node 52, and 
the XY processor node 55. 

[38] A network, for example comprising a common bus 60, couples the various 
processor nodes. The network may comprise a robust wiring network, such as the 
commercially available CAN (Controller Area Network) bus system, which is a multi- 
drop network, having a standard access protocol and wiring standards, for example, 
as defined by CiA, the CAN in Automation Association, Am Weich Selgarten 26, D- 
91058 Erlangen, Germany. Other similar networks, such as Ethernet, or a wireless 
network system, such as RF or infrared, may also be employed in the library 10. 

[39] The communication processor node 50 is coupled to each of the data storage 
drives 15 of a storage frame 11, via lines 70, communicating with the drives and with 
host systems 40, 41 and 42. Alternatively, the host systems may be directly coupled 
to the communication processor node 50, at input 80 for example, or to control port 
devices (not shown) which connect the library 10 to the host system(s) with a library 
interface similar to the drive/library interface. Various communication arrangements 
may be employed for communication with the hosts and with the data storage drives. 
In the example of Fig. 4, host connections 80 and 81 are SCSI busses. The bus 82 
comprises an example of a Fibre Channel-Arbitrated Loop, which is a high speed 
serial data interface, allowing transmission over greater distances than the SCSI bus 
systems. Alternatively, the data storage drives may be coupled to the 
communication processor node 50 through one or more networks, such as a 
common bus network. 

[40] The data storage drives 15 may be in close proximity to the communication 
processor node 50, and may employ a short distance communication scheme, such 
as SCSI, or a serial connection, such as RS-422. The data storage drives 15 are 
thus individually coupled to the communication processor node 50 by means of lines 
70. 

[41] Additional storage frames 11 may be provided and each is coupled to the 
adjacent storage frame. Any of the storage frames 11 may comprise communication 
processor nodes 50, storage shelves 16, data storage drives 15, and networks 60. 

[42] Further, the automated data storage library 10 may additionally comprise a 
second accessor 28 shown, for example, in a right hand service bay 14 of Fig. 4. 
The second accessor 28 may comprise a gripper 30 for accessing the data storage 
media, and an XY system 255 for moving the second accessor 28. The second 
accessor 28 may run on the same horizontal mechanical path as first accessor 18, 
or on an adjacent path. The exemplary control system additionally comprises an 
extension network 200 forming a network coupled to network 60 of the storage 
frame(s) 11 and to the network 157 of left hand service bay 13. 

[43] In Fig. 4 and the accompanying description, the first and second accessors are 
associated with the left hand service bay 13 and the right hand service bay 14, 
respectively. This is for illustrative purposes and there may not be an actual 
association. In addition, the network 157 may not be associated with the left hand 
service bay 13 and the network 200 may not be associated with the right hand 
service bay 14. Depending upon the design of the library 10, it may not be 
necessary to have a left hand service bay 13 and/or a right hand service bay 14. 

[44] Figs. 5A and 5B illustrate the front 501 and rear 502, respectively, of the drive 15. 
In this example, the drive 15 is a removable media LTO (Linear Tape Open) tape 
drive mounted in a hot swap canister. However, the data storage drive of this 
invention may comprise any removable media drive such as magnetic or optical tape 
drives, magnetic or optical disk drives, electronic media drives, or any other 
removable media drive as is known in the art. In addition, the data storage drive of 
this invention may comprise any fixed media drive such as hard disk drives or any 
other fixed media drive as is known in the art. In this case, the fixed media drives 
may be moved around the library in a similar way that the present invention 
describes the movement of media. 
[45] Fig. 6A illustrates an example of a data storage cartridge 600 with a cartridge 
memory 610. Fig. 6B illustrates an example of a tape cartridge 600 with a cartridge 
memory 610, media reel 614, reel hub 613 and media 612 all shown in phantom. 
While Fig. 6B illustrates tape media, media 612 may comprise any type of data 
storage media as is known to those of skill in the art. The contents of the cartridge 
memory 610 may be accessed (written to and/or read from) by a cartridge memory 
interface, such as a cartridge memory interface integrated into the drive 15. The 
cartridge memory interface may also be integrated into other components of the 
library 10, such as a robot accessor. 

[46] In a first embodiment, the automated data storage library 10 modifies the 
contents of the cartridge memory 610 or the contents of the media 612 of one or 
more data storage cartridges 600 so that the data stored on the media 612 is 
normally inaccessible to a data storage drive. When the data storage cartridge 600 
is needed by the library 10, a correction or correction algorithm is sent to the drive to 
allow it to access the data storage media for read and/or write operations. 
Alternatively, the contents of the cartridge memory 610 or the contents of the media 
612 are modified to make the data accessible. If an attempt to access data storage 
media is made, by removing a cartridge 600 from a library and inserting into a drive 
for example, the data storage media 612 will not be readable or writable. 

[47] Fig. 7 illustrates the method of the first embodiment upon insertion of a data 
storage cartridge into the library 10. The data storage cartridge 600 may be inserted 
through a special purpose import/export station or it may be inserted by simply 
opening a library door and placing the media on a storage shelf or in a drive. The 
procedures set forth in the flow chart may also be used when the library 10 is 
initialized or brought up for the first time. The procedures may be executed by a 
host computer, by the library 10, by an operator, or by some other means. The 
media insert operation is started at step 701. The media insert operation may be 
initiated by a host computer, by the library 10, by an operator, or by some other 
means. The cartridge memory 610 is modified in step 702. The cartridge memory 
610 modification prevents the media 612 from being accessed without explicit action 
to reverse the modification. For example, the LTO (Linear Tape Open) cartridge 
memory format provides a data field in the cartridge memory which specifies the 
media generation. A value may be placed in this field which specifies a media 
generation that does not exist. Thus, if the data storage cartridge 600 is accidentally, 
or intentionally, inserted into an LTO drive, the media would not be supported and 
the drive would prevent data access. Alternatively, the contents of the cartridge 
memory 610 may be intentionally corrupted so that the data storage cartridge 600 
would be rejected by a data storage drive. The cartridge memory 610 may be 
modified by a component of the library 10. For example, the library accessor 18 
may contain a cartridge memory interface to modify the cartridge memory 610. 
Another alternative is that the cartridge memory 610 may be modified by the 
cartridge memory interface in the data storage drive 15. For example, the library 10 
may be used to move the data storage cartridge 600 into a drive 15 and the drive 15 
would be instructed to modify the cartridge memory 610. In another variation, the 
actual media 612 may be modified, rather than the cartridge memory 610. In this 
case, a component of the library 10, such as the data storage drive 15, may have 
the means to modify the contents of the data storage media 612. Herein, to simplify 
the description and claims, any references to cartridge memory may also refer to 
data storage medium since this invention may be equally applied to modification 
and/or corruption of both. In addition, any references to a cartridge memory 
interface may also refer to a data storage media interface for the same reasons. In 
step 703, a check is made to see if any other data storage cartridges require 
modification of the cartridge memory 610 or the data storage media 612. If there are 
no additional cartridges to modify, as indicated in step 703, control moves to step 
705 where the media insert operation is completed. If on the other hand, there are 
additional data storage cartridges to modify, as indicated in step 703, then control 
moves to step 704 where the next data storage cartridge is selected. Control then 
moves to step 702 where the newly selected cartridge is appropriately modified. It 
will be appreciated that changes may be made to the process without deviating from 
the scope of the invention. 
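The cartridge memory modification of step 702, together with the exclusive-or correction the library later supplies to the drive at step 803 of Fig. 8, can be shown in code. The following Python is an added example, not code from the application or from any library or drive firmware. It assumes a toy cartridge memory layout with the generation field in byte 0, a fixed set of generations the drive supports, and a repeating XOR pattern as the corruption; it does not reproduce real LTO cartridge memory layouts or generation codes.

```python
"""Cartridge memory masking and drive-side correction (first embodiment).

Added example; not code from the patent application or from any library or
drive firmware. The CM layout (generation field in byte 0), the supported
generation set and the XOR pattern are illustrative assumptions.
"""
import os
from typing import Optional

CM_SIZE = 64                       # assumed cartridge memory size in bytes
GEN_OFFSET = 0                     # assumed position of the media generation field
SUPPORTED_GENERATIONS = {1, 2, 3}  # assumed: generations this drive accepts


def new_cartridge_memory(generation: int) -> bytearray:
    """A fresh, unprotected CM image for a cartridge of the given generation."""
    cm = bytearray(CM_SIZE)
    cm[GEN_OFFSET] = generation
    return cm


def choose_pattern(generation: int, length: int = 8) -> bytes:
    """Pick a random XOR pattern and confirm the masked generation field does
    not collide with a generation the drive would accept; a colliding pattern
    would leave the cartridge readable without any correction."""
    while True:
        pattern = os.urandom(length)
        if (generation ^ pattern[GEN_OFFSET % length]) not in SUPPORTED_GENERATIONS:
            return pattern


def xor_in_place(cm: bytearray, pattern: bytes) -> None:
    """Step 702 (mask) and, since XOR is its own inverse, the restore
    alternative of step 803: XOR every CM byte with the repeating pattern."""
    for i in range(len(cm)):
        cm[i] ^= pattern[i % len(pattern)]


class Drive:
    """A drive that reads cartridge memory through the correction it holds, if any."""

    def __init__(self) -> None:
        self.correction: Optional[bytes] = None

    def load_correction(self, pattern: bytes) -> None:
        """Step 803: the library supplies the pattern to the drive."""
        self.correction = pattern

    def revoke_correction(self) -> None:
        """Step 806: the pattern is removed on unload or eject."""
        self.correction = None

    def view(self, cm: bytearray) -> bytes:
        """What the drive sees: the raw CM when it has no correction, otherwise
        the CM with the mask removed on the fly (the cartridge is not changed)."""
        if self.correction is None:
            return bytes(cm)
        p = self.correction
        return bytes(b ^ p[i % len(p)] for i, b in enumerate(cm))

    def can_access(self, cm: bytearray) -> bool:
        """The drive's ordinary media check: an unknown generation is rejected."""
        return self.view(cm)[GEN_OFFSET] in SUPPORTED_GENERATIONS

    def update_cm(self, cm: bytearray, offset: int, value: int) -> None:
        """CM fields change during normal read/write; the drive re-applies the
        mask to the new value so the on-cartridge image stays protected."""
        if not self.can_access(cm):
            raise PermissionError("media generation not supported; CM not updated")
        if self.correction is None:
            cm[offset] = value
        else:
            cm[offset] = value ^ self.correction[offset % len(self.correction)]


if __name__ == "__main__":
    # Constructed sample: a generation-2 cartridge masked by the library.
    cm = new_cartridge_memory(2)
    pattern = choose_pattern(2)
    xor_in_place(cm, pattern)
    print("foreign drive can access:", Drive().can_access(cm))
    drive = Drive()
    drive.load_correction(pattern)
    print("drive with correction can access:", drive.can_access(cm))
```

Two points a practitioner would check before relying on this: choose_pattern verifies that the masked generation field does not collide with a supported generation, since a colliding pattern leaves the cartridge readable by any drive; and the pattern is a shared secret between library and drive, so the library-to-drive path that carries it needs the encryption paragraph [13] mentions. The mask is an access-control hint honoured by conforming drives, not encryption of the data, which paragraph [14] states plainly.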
[48] Fig. 8 illustrates a method of the first embodiment in which data storage media is 
moved to or unloaded from a data storage drive 15 or in which data storage media is 
exported from the library 10. This process illustrated in the flowchart may be 
executed by a host computer, by the library 10, by an operator, or by some other 
means. The data storage media move or unload operation begins at step 801. This 
operation may be initiated by a host computer, an operator, the library controller or 
from some other source. In step 802, the operation is checked to see if it involves 
the movement of data storage media to a drive 15. If the operation involves a move 
to a drive 15 as indicated in step 802, then control moves to step 803 in which a 
correction or correction algorithm is sent to the drive. The correction or correction 
algorithm comprises information that allows the drive to read and/or write the data 
storage media without removing the modification or corruption that has been applied 
to the cartridge memory 610 or the media 612. For example, in the case where a 
cartridge memory media generation field has been modified to make the data on the 
storage medium inaccessible, the correct generation field would now be provided by 
the library to allow media access by the drive. In another example, in the case 
where the contents of the cartridge memory 610 has been corrupted to prevent 
access to data stored in the data storage media, the algorithm to correct the 
cartridge memory 610 would now be sent by the library to allow access to the data. 
As a more specific example, the library may have applied a logical exclusive-or 
operation to all or part of the cartridge memory to prevent access to the data storage 
medium. The library may send the exclusive-or pattern to the drive so the pattern 
can be used to remove the corruption from the cartridge memory data. The 
correction information that the library sends to the drive may provide enough 
information to allow the drive to apply the corruption or modification from step 702 
(Fig. 7) and/or step 806 (Fig. 8). This is because the modified information from 
cartridge memory 610 may comprise information that is normally updated during 
read and/or write operations to the media. The drive may be required to provide an 
updated cartridge memory and it may be desired that the update is protected with 
the same algorithm that was used in prior steps. Step 803 may occur at any time. 
For example, correction information may be provided to the drive at power-on time 
or at library configuration. If the drive has the ability to store the correction 
information in nonvolatile memory then it may not be necessary to send new 
correction information until the library configuration has changed. Herein, correction, 
correction algorithm, and correction information all refer to the same thing. Referring 
back to Fig. 8, alternatively, at step 803, the cartridge memory 610 or media 612 
may be restored to a state where the drive 15 can access the media. For example, 
in the case where a cartridge memory media generation field has been modified to 
make the data on the storage medium inaccessible, the generation field would now 
be restored to a correct value for media access. In another example, in the case 
where the contents of the cartridge memory 610 has been corrupted to prevent 
access to data stored in the data storage media, the corrupted cartridge memory 
610 would now be corrected to allow access to the data. After step 803, control 
moves to step 804 where the move operation is completed. The actual move 
operation may occur prior to step 804. For example, if the drive is used to modify 
the cartridge memory then the data storage cartridge may be moved to the drive at 
or before step 803. If however, the operation does not involve a move to a drive 15 
as indicated in step 802, then control moves to step 805 where the operation is 
checked to see if it involves the unload of data storage media from a drive 15. The 
actual unload operation may occur prior to step 807. For example, if a component of 
the library is used to modify the cartridge memory then the cartridge may be 
unloaded from the drive at or before step 806. If the operation involves an unload 
from a drive 15 as indicated in step 805, then control moves to step 806 where the 
correction information is revoked or removed from the drive. This may be the result 
of a library request to remove the correction information or the drive may perform 
this action as the result of a media eject or some other media operation. 
Alternatively, it may be desired to maintain correction information for a longer period 
of time. For example, the drive may maintain the correction information until a 
media export operation, a drive or library power cycle, etc. Alternatively, if the actual 
contents of the cartridge memory were modified in step 803 then the cartridge 
memory 610 may be modified in step 806 so that the data in the cartridge would not 
be accessible. As described above, this may comprise the modification of a 
generation field of the cartridge memory 610, corrupting the contents of the cartridge 
memory 610 or some other modification of the cartridge memory 610. In addition, 
this may involve modification or corruption of the data storage media 612 as 
discussed above. After step 806, control moves to step 807 where the unload 
operation is completed. If the operation does not involve an unload from a drive 15 
as indicated in step 805, then control moves to step 808 where the operation is 
checked to see if it involves an export of data storage cartridge 600 from the library. 
An export refers to the removal of data storage media 600 from the library 10. For 
example, many libraries comprise an import/export station 24 (Figs. 2 and 3) where 
data storage cartridges may be moved to/from the library 10 by an operator. If the 
operation involves an export operation as indicated in step 808, then control moves 
to step 810 where the cartridge memory 610 is restored to a state where the drive 15 
can access the media. For example, in the case where a cartridge memory media 
generation field has been modified to make the data on the storage medium 
inaccessible, the generation field would now be restored to a correct value for media 
access. In another example, in the case where the contents of the cartridge memory 
610 has been corrupted to prevent access to data stored in the data storage media 
600, the corrupted cartridge memory 610 would now be corrected to allow access to 
the data. Making the data on the data storage media 600 accessible during an 
export operation may be desired to allow the media to be moved from one library to 
another. Additional security may be provided to protect from accidental or 
intentional exports of data storage media. For example, an operator may be 
required to enter a password at a user interface before initiating the export 
operation. In addition, the library may offer different levels of export. For example, 
there may be one with corrected cartridge memory 610 so that the data in the data 
storage media 600 is accessible after export and one where no correction is made to 
the cartridge memory 610 such that the data remains inaccessible after export. 
Referring back to Fig. 8, after the cartridge memory 610 is modified to make the data 
in the data storage media 600 accessible in step 810, control moves to step 811 
where the operation is completed. If however, the operation does not involve an 
export operation as indicated in step 808, then control moves to step 809 where the 
operation is completed. It will be appreciated that changes may be made to the 
process illustrated by the flowchart without deviating from the scope of the invention. 
For example, step 808 may be combined with step 802 where a move to a drive 15 
or a move involving an export would both result in the same action of steps 803 and 
804. In this case, steps 810 and 811 would be eliminated. In another example, it 
may not be desired to support exports of unprotected media so steps 808, 810 and 
811 may be eliminated. In this case, a "NO" answer from step 805 would result in 
the execution of step 809. 
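The exclusive-or corruption of the cartridge memory, the correction information handed to the drive at a move, the write-back through the same mask, the revocation at unload and the two export levels described above, modelled end to end in Python. This is an added example and not code from the patent: the class and method names, the placement of the media generation field in the first four bytes of the cartridge memory, the accepted generation value and the 16-byte pattern are all assumptions made for illustration.

```python
"""Fig. 8 modelled: XOR-corrupted cartridge memory, correction information sent to the
drive, write-back through the same mask, revocation at unload and two export levels.
Added example, not the patent's code; layout, names and the pattern are assumptions."""
from typing import Optional

GEN = slice(0, 4)                        # assumed: media generation field is bytes 0..3
VALID_GENERATION = b"\x00\x00\x00\x03"   # assumed: the value a drive accepts
# Constructed pattern; first four bytes non-zero so the field never survives masking by chance.
CORRECTION_PATTERN = bytes.fromhex("5a3c9e71d28b46f0137fa5c4e96b2d80")


def xor_mask(data: bytes, pattern: bytes) -> bytes:
    """XOR with a repeating pattern; applying it twice restores the input."""
    return bytes(b ^ pattern[i % len(pattern)] for i, b in enumerate(data))


class CartridgeMemory:
    def __init__(self) -> None:
        self.data = bytearray(VALID_GENERATION) + bytearray(12)   # cartridge memory 610
        self.protected = False                                    # model bookkeeping only


class Drive:
    def __init__(self) -> None:
        self.correction: Optional[bytes] = None   # correction information, if the library sent it
        self.cm: Optional[CartridgeMemory] = None

    def load(self, cm: CartridgeMemory) -> None:
        self.cm = cm

    def eject(self) -> CartridgeMemory:
        cm, self.cm = self.cm, None
        return cm

    def view(self) -> bytes:
        """The memory as this drive interprets it: unmasked only if it holds the pattern."""
        raw = bytes(self.cm.data)
        return xor_mask(raw, self.correction) if self.correction else raw

    def can_access(self) -> bool:
        return self.cm is not None and self.view()[GEN] == VALID_GENERATION

    def update_cm(self, offset: int, value: bytes) -> None:
        """Write back a field changed during I/O, re-applying the mask so the stored memory
        stays protected (the point made about steps 702 and 806)."""
        if not self.can_access():
            raise PermissionError("cartridge memory not accessible")
        plain = bytearray(self.view())
        plain[offset:offset + len(value)] = value
        self.cm.data[:] = xor_mask(bytes(plain), self.correction) if self.correction else plain


class Library:
    def __init__(self, pattern: bytes = CORRECTION_PATTERN) -> None:
        self.pattern = pattern                    # the library alone owns the pattern

    def toggle(self, cm: CartridgeMemory, protect: bool) -> None:
        """protect=True is step 702/806 (mask); False is step 803 alternative / 810 (restore)."""
        if cm.protected != protect:
            cm.data[:] = xor_mask(bytes(cm.data), self.pattern)
            cm.protected = protect

    def move_to_drive(self, cm: CartridgeMemory, drive: Drive) -> None:
        """Steps 802-804: hand over the correction information, then load."""
        drive.correction = self.pattern if cm.protected else None
        drive.load(cm)

    def unload(self, drive: Drive) -> CartridgeMemory:
        """Steps 805-807: eject and revoke the correction information."""
        cm = drive.eject()
        drive.correction = None
        return cm

    def export(self, cm: CartridgeMemory, level: str) -> CartridgeMemory:
        """Steps 808-811: 'accessible' restores the memory, 'protected' leaves it masked."""
        if level not in ("accessible", "protected"):
            raise ValueError(f"unknown export level {level!r}")
        self.toggle(cm, protect=(level == "protected"))
        return cm


def walkthrough() -> dict:
    """One pass through the Fig. 8 sequence; reports what each drive could do."""
    lib, cm = Library(), CartridgeMemory()
    lib.toggle(cm, protect=True)
    foreign = Drive()                             # never received the pattern
    foreign.load(cm)
    foreign_access = foreign.can_access()
    foreign.eject()

    drive = Drive()
    lib.move_to_drive(cm, drive)
    informed_access = drive.can_access()
    drive.update_cm(8, b"\xaa\xbb")               # e.g. a usage counter written during I/O
    stored_masked = bytes(cm.data)[GEN] != VALID_GENERATION
    lib.unload(drive)

    plain_drive = Drive()
    plain_drive.load(lib.export(cm, "accessible"))
    return {
        "foreign_drive_access": foreign_access,
        "informed_drive_access": informed_access,
        "stored_cm_masked_after_write": stored_masked,
        "correction_after_unload": drive.correction,
        "exported_readable": plain_drive.can_access(),
        "exported_counter": bytes(cm.data)[8:10],
    }
```

The pattern is the whole secret of this scheme: an exclusive-or is reversible by anyone who obtains it, and it can be recovered from one masked and one unmasked copy of the same cartridge memory. What the scheme controls is therefore which drives the library chooses to brief, not the confidentiality of the recorded data, which is the distinction the Background draws against the encrypting-drive approach.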
[49] In a second embodiment, the library 10 is partitioned into two or more logical 
libraries. The library 10 writes an identifier into the cartridge memory 610 of one or 
more data storage cartridges 600. The identifier is associated with one or more 
logical libraries. The library 10 communicates the identifier to one or more drives 15 
which use the identifier to prevent or allow read and/or write access to the data 
storage media. If a data storage cartridge is moved into the drive of a different 
logical library, then that drive will prevent read and/or write access to the data 
storage media. The second embodiment may be combined with the first 
embodiment. For example, the cartridge memory may be modified or corrupted as 
discussed above. A match between the identifier in the cartridge memory and the 
identifier in the drive may comprise allowing the contents of the media to be 
accessed. 

[50] In a third embodiment, the library 10 writes an identifier into the cartridge memory 
610 of one or more data storage cartridges. The identifier is associated with one or 
more physical libraries. The library 10 communicates the identifier to one or more 
drives 15 which store and use the identifier to prevent or allow read and/or write 
access to the data storage media. If a data storage cartridge is moved into the drive 
15 of a different physical library then that drive 15 will prevent read and/or write 
access to the data storage media. The third embodiment may be combined with 
the first embodiment. For example, the cartridge memory may be modified or 
corrupted as discussed above. A match between the identifier in the cartridge 
memory and the identifier in the drive may comprise modification to the cartridge 
memory to allow the contents of the media to be accessed. 

[51] In a fourth embodiment, the second and third embodiments may be combined to 
provide still further security and protection for a partitioned library. It will prevent 
accidental or intentional data storage media access by different logical libraries 
within the same physical library or by another physical library. An example of storing 
physical and logical library association information in a cartridge memory can be 
seen by referring to U.S. Patent Application Number 10/356,577, filed February 3, 
2003 and U.S. Patent Application Number 10/356,487, filed February 3, 2003. 
Library association information is written to each cartridge as described in the 
flowchart of Fig. 9. Library association information is also written to a memory in 
each drive 15 as described in the flowchart of Fig. 10. When an attempt is made to 
move a data storage cartridge 600 to a drive 15, the association information in the 
cartridge memory 610 is compared with the association information of the drive 15 to 
determine if the data is accessible or not, as described in the flowchart of Fig. 11. 
[52] Fig. 9 illustrates the process of the second embodiment and/or the third 
embodiment when data storage media is inserted into the library 10. A data storage 
cartridge 600 may be inserted through a special purpose import/export station or it 
may be inserted by opening a library door and placing the media on a storage shelf 
or in a drive. The process illustrated in the flow chart may also be used when the 
library 10 is initialized or brought up for the first time. This flowchart may be 
executed by a host computer, by the library 10, by an operator, or by some other 
means. The media insert operation is started at step 901. The media insert 
operation may be initiated by a host computer, by the library 10, by an operator, or 
by some other means. The cartridge memory 610 is modified in step 902. The 
cartridge memory modification comprises library association information and may 
comprise additional modification or corruption to make the data inaccessible as 
discussed above. The library association may comprise a logical library association, 
a physical library association, both or some other library association information. 
The association information is used to validate the data storage media 612 access in 
a drive 15, as will be discussed. The cartridge memory 610 may be modified by a 
component of the library 10. For example, the library accessor may contain the 
means to modify the cartridge memory 610. The cartridge memory 610 may also be 
modified by a data storage drive 15. For example, the library 10 may be used to 
move the data storage cartridge 600 into a drive 15 where the drive 15 would be 
instructed to modify the cartridge memory 610. In another variation of this 
embodiment, the actual media 612 may be modified, rather than the cartridge 
memory 610. In this case, a component of the library 10, such as the drive 15, may 
have the means to modify the contents of the data storage media 612. In step 903, 
a check is made to see if any other data storage cartridges require modification of 
the cartridge memory 610 or the data storage media 612. If there are no additional 
cartridges to modify, as indicated in step 903, control moves to step 905 where the 
media insert operation is completed. If on the other hand, there are additional data 
storage cartridges to modify, as indicated in step 903 then control moves to step 904 
where the next data storage cartridge is selected. Control then moves to step 902 
where the newly selected cartridge is written. It will be appreciated that changes 
may be made to the process without deviating from the scope of the invention. 
[53] Fig. 10 illustrates a flowchart of a portion of the second, third and fourth 
embodiments when a data storage drive 15 is configured or initialized. This 
configuration or initialization may be initiated by a host computer, by the library, by 
an operator, or by some other means. The configuration or initialization may be 
performed once only, may be performed at some interval or may be performed 
based on some event. For example, it may occur at power-on or may occur as the 
result of a library configuration. At a minimum, the configuration or initialization 
comprises the sending of library association information to a memory in the drive 15. 
If the association information is not maintained in nonvolatile memory by the drive 15 
then it may be necessary to update the drive 15 at every power-on. The drive 15 
configuration begins at step 1001. The drive 15 is updated with library association 
information in step 1002. The library association information may be sent over a 
host interface, a library/drive interface, a user interface or some other interface. The 
interface may comprise a serial interface such as RS-232 or Firewire, a SCSI 
interface, a Fibre Channel interface, a wireless interface such as infrared or RF, or 
may comprise any communication interface as is known to those of skill in the art. In 
step 1003, a check is made to see if there are any other data storage drives to 
configure. If there are no more data storage drives to configure, as indicated in step 
1003, control moves to step 1005 where the drive configuration operation is 
completed. If on the other hand, there are additional data storage drives to 
configure, as indicated in step 1003 then control moves to step 1004 where the next 
data storage drive 15 is selected. Control then moves to step 1002 where the newly 
selected drive 15 is configured. It will be appreciated that changes may be made to 
the process illustrated by the flowchart without deviating from the scope of the 
invention. 

[54] Fig. 11 is a flowchart illustrating a portion of the second, third and fourth 
embodiments after a request has been made to move a data storage cartridge 600 
to a drive 15. The request may come from a host computer, the library, a user, or 
some other means. The flowchart execution may begin before the move operation 
has started, during the move operation, after the move operation has completed or 
at some other time. This flowchart may be executed by a host computer, by the 
library, by an operator, or by some other means. The flowchart begins at step 1101. 
The library association information is read from the cartridge memory 610 in step 
1102. The library association information is read from the memory of the data 
storage drive 15 in step 1103. In step 1104, a check is made to see if the library 
association information from the cartridge memory 610 matches the library 
association information from the data storage drive 15. If the library association 
information of the drive 15 matches the library association information of the 
cartridge 600, as indicated in step 1104, control moves to step 1105 where the 
media move operation is completed. In addition, if other modifications have been 
made to the cartridge memory 610 or media 612 then these modifications will be 
corrected to allow proper media access. For example, the first embodiment may be 
combined with the second embodiment and/or the third embodiment. If on the other 
hand, the library association information from the drive 15 does not match the library 
association information from the cartridge 600, as indicated in step 1104 then control 
moves to step 1106 where the data storage cartridge 600 is rejected. A rejected 
cartridge may cause a failure of the move operation, a failure to access the data on 
the cartridge, or some other means to indicate the inability to access the data on the 
data storage cartridge 600. Control then moves to step 1107 where the process of 
this flowchart ends. It will be appreciated that changes may be made to the process 
illustrated by the flowchart without deviating from the scope of the invention. For 
example, if this process is executed by the drive 15, then it may not be necessary for 
the drive 15 to read the association information from the drive 15 in step 1103 
because the drive 15 already possesses this information. 

[55] In a fifth embodiment, this invention may be combined with the teachings of U.S. 
Patent Application Number 09/977,159, filed October 11, 2001 to provide an 
automated method of securing the data on data storage media in a removable media 
system. Data stored on the data storage media 612 is encrypted. The keys for 
gaining access to the stored data may be managed in part, or in full, by the 
automated data storage library 10. The library 10 may provide the keys to the data 
storage drive 15 during a move operation, after a library configuration, after a drive 
or library power-on, or at some other time. 

[56] Fig. 12 is a flowchart illustrating the process of the fifth embodiment when data 
storage media is moved to or unloaded from a data storage drive 15 or when data 
storage media is moved out of the library 10. The operation may be initiated by a 
host computer, an operator, the library controller or by some other source. This 
process may be executed by a host computer, by the library, by a drive, by an 
operator, or by some other means. The data storage media security operation 
begins at step 1201 either before, during or after a move or unload operation or 
some combination thereof. In step 1202, the operation is checked to see if it 
involves the movement of a data storage cartridge 600 to a drive 15. If the operation 
involves a move to a drive 15 as indicated in step 1202, then control moves to step 
1203 where the proper key(s) are supplied to the drive 15 for accessing data on the 
data storage media 612. For example, decryption key(s) may be provided to the 
drive 15 before, during or after the cartridge 600 has been loaded in the drive 15. 
The key(s) may be provided by the library, by a host, or through some other means. 
The keys may be used by the drive 15 to decrypt data for a host computer or for the 
library. Referring back to Fig. 12, after the key(s) have been sent to the drive 15 in 
step 1203, control moves to step 1204 where the data storage media security 
operation is completed. If however, the operation does not involve a move to a drive 
15 as indicated in step 1202, then control moves to step 1205 where the operation is 
checked to see if it involves an unload from a drive 15. 

IBM Docket: TUC920030085US1 
Express Mail Label: EV332352727US 

If the operation does not 
involve an unload from a drive 15 as indicated in step 1205, then control moves to 
step 1208 where the data storage media security operation is completed. If 
however, the operation involves an unload from a drive 15 as indicated in step 1205, 
then control moves to step 1206 where the key(s) are removed, revoked, reset, 
disabled or otherwise prevented from allowing the access of data on the data 
storage media 600. This may comprise a message or command received by the 
drive 15 to prevent further data access. For example, the host or the library may 
send a command or message to the drive 15 to revoke the key(s) that were 
previously sent to the drive 15. Alternatively, the drive 15 may remove the key(s) 
without any specific command or request from the host or library. For example, the 
data storage drive 15 may clear the key(s) when it performs a data storage media 
eject operation. After the key(s) have been removed to make the data on the data 
storage media 612 inaccessible in step 1206, control moves to step 1207 where the 
data storage media security operation is completed. 
[57] In a variation of the fifth embodiment, the key(s) may be stored in the cartridge 
memory 610 and/or on the media 612 of the cartridge 600. This would provide the 
ability to unlock the encrypted data that may be stored on a data storage cartridge. 
The key(s) may be stored as the result of a request at a user interface of the library, 
from a host computer, from a remote computer coupled to the library 10 or through 
any other means. The request to unlock the media may require authentication in the 
form of one or more keys, a password, or any other authentication method known to 
those of skill in the art. When media is loaded into a drive, the drive may first check 
the media 612 or the cartridge memory 610 for the necessary key(s) to unlock the 
media. For example, if the fifth embodiment is combined with the first embodiment 
then the cartridge memory modification or corruption may comprise storing the 
key(s) in the cartridge memory, or removing the key(s) from the cartridge memory. 
This would apply equally to any modifications of the cartridge memory 610 or the 
media 612 of all of the embodiments of this invention. In another example, it may be 
desired to export the data storage cartridge where another drive could access the 
data stored on the media. If an exported cartridge is imported into another library, 
the library could remove the key(s) from the cartridge memory 610 or media 612 and 
keep them for future media access. 
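The fifth embodiment of Fig. 12 and the variation of paragraph [57], as one added Python example that is not the patent's code: the library supplies the key with a move, the drive clears it on eject, and a key may be placed in the cartridge memory for export and taken out again on import. The patent names no cipher and no key format; the HMAC-SHA256 counter-mode keystream used here is a stand-in for whatever the encrypting drive of U.S. application 09/977,159 would use, and the class names, the "key" slot in the cartridge memory and the nonce derivation are assumptions.

```python
"""Fig. 12 and paragraph [57] modelled: key supplied at move, cleared at unload, carried in
the cartridge memory for export and removed on import. Added example, not the patent's
code; the cipher is a stand-in and the names, key slot and nonce are assumptions."""
import hashlib
import hmac
from typing import Dict, Optional

KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # constructed


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) under a per-cartridge nonce and block counter."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class Cartridge:
    def __init__(self, serial: str) -> None:
        self.serial = serial
        self.nonce = hashlib.sha256(serial.encode()).digest()[:8]   # assumed: from the serial
        self.media = b""                         # media 612, stored encrypted
        self.cm: Dict[str, bytes] = {}           # cartridge memory 610, optional "key" slot


class Drive:
    def __init__(self) -> None:
        self.key: Optional[bytes] = None
        self.cartridge: Optional[Cartridge] = None

    def load(self, cartridge: Cartridge) -> None:
        self.cartridge = cartridge
        if "key" in cartridge.cm:                # paragraph [57]: key found in cartridge memory
            self.key = cartridge.cm["key"]

    def write(self, plaintext: bytes) -> None:
        if self.key is None:
            raise PermissionError("no key loaded")
        self.cartridge.media = keystream_xor(self.key, self.cartridge.nonce, plaintext)

    def read(self) -> bytes:
        if self.key is None:
            raise PermissionError("no key loaded")
        return keystream_xor(self.key, self.cartridge.nonce, self.cartridge.media)

    def eject(self) -> Cartridge:
        """Step 1206 without any command: the drive clears the key itself on eject."""
        c, self.cartridge, self.key = self.cartridge, None, None
        return c


class Library:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}         # keys managed by the library, by serial

    def move_to_drive(self, cartridge: Cartridge, drive: Drive) -> None:
        """Steps 1202-1204: load and supply the key."""
        drive.load(cartridge)
        drive.key = self.keys[cartridge.serial]

    def unload(self, drive: Drive) -> Cartridge:
        """Steps 1205-1207: eject, then revoke explicitly in case the drive kept the key."""
        c = drive.eject()
        drive.key = None
        return c

    def export_with_key(self, cartridge: Cartridge) -> Cartridge:
        """Paragraph [57]: place the key in the cartridge memory so another site can read."""
        cartridge.cm["key"] = self.keys[cartridge.serial]
        return cartridge

    def import_cartridge(self, cartridge: Cartridge) -> None:
        """Paragraph [57]: take the key out of the cartridge memory and keep it here."""
        if "key" in cartridge.cm:
            self.keys[cartridge.serial] = cartridge.cm.pop("key")


def tried_read(drive: Drive) -> Optional[bytes]:
    try:
        return drive.read()
    except PermissionError:
        return None


def walkthrough() -> dict:
    lib, drive, tape = Library(), Drive(), Cartridge("T001")
    lib.keys[tape.serial] = KEY
    secret = b"Q3 salary review: see attached"       # constructed sample record
    lib.move_to_drive(tape, drive)
    drive.write(secret)
    with_key = tried_read(drive)
    lib.unload(drive)

    stranger = Drive()                               # a drive no library has briefed
    stranger.load(tape)
    without_key = tried_read(stranger)
    stranger.eject()
    stranger.load(lib.export_with_key(tape))
    after_export = tried_read(stranger)
    stranger.eject()

    other_site = Library()
    other_site.import_cartridge(tape)
    stranger.load(tape)
    return {
        "with_key": with_key,
        "without_key": without_key,
        "after_export_with_cm_key": after_export,
        "cm_key_removed_on_import": "key" not in tape.cm,
        "other_site_holds_key": other_site.keys.get(tape.serial) == KEY,
        "after_import": tried_read(stranger),
        "media_is_not_plaintext": tape.media != secret,
    }
```

Two points the walkthrough makes visible. The revocation that actually protects the data is the drive clearing its own key at eject; the explicit revoke of step 1206 is a backstop, and a drive that kept keys across power cycles would weaken both. And while a key rides in the cartridge memory for export, the cartridge unlocks itself in any drive that honours that slot, so the "protected" export level of the first embodiment does not apply to it; the importing library's first action is to pull the key back out.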
[58] This invention may be combined with the teachings of U.S. Patent 6,104,561 to 
provide an automated method of securing the data on data storage media in a 
removable media system. In this case, the password or read/write controls for 
gaining access to the data on the data storage medium may be managed in part, or 
in full, by the automated data storage library 10. The library 10 may provide the 
password or read/write controls to the data storage drive 15 when a valid move or 
unload command has been issued. The flowchart of Fig. 12 may be used to 
illustrate this embodiment by substituting "key(s)" with "password or read/write 
controls". 

[59] The objects of the invention have been fully realized through the embodiments 
disclosed herein. Those skilled in the art will appreciate that the various aspects of 
the invention may be achieved through different embodiments without departing 
from the essential function of the invention. The particular embodiments are 
illustrative and not meant to limit the scope of the invention as set forth in the 
following claims. 